In many organizations, senior executives and boards of directors think of the dark web as a mysterious place where criminals and malicious hackers buy and sell illicit goods, exchange information via encrypted messaging, and use various cryptocurrencies for illegal transactions. In many cases, these activities and processes remain ambiguous to them, and more specifically, the risks these activities pose to their organization, brand value, employees and customers remain obscure.
Enterprises with a mature cybersecurity posture will often maintain a monitoring effort for dark web content and communications. In this blog, I’d like to explore the nature of the risks that dark web markets in particular pose, and how those risks should inform an organization’s overall cyber risk efforts.
How do dark web markets work?
As described in our recent piece, titled the Hitchhiker’s Guide to the Dark Web, dark web marketplaces are remarkably similar to the online shopping sites we all use, like Amazon, Craigslist, eBay and the like, as well as to the online shopping experience provided by retailers like Costco, Target, Walmart, etc. While there are diverse ecosystems across the underground economy, the marketplaces we’re discussing here resemble open-air, crowded bazaars. We dive into the details in our Hitchhiker’s Guide, but in short, here you’ll find a lot of fraud-related products for sale from many vendors. The products lack differentiation, but vendors make bold claims and apply pressure to make a sale.
The biggest differences, other than the fact that dark web markets are in business to facilitate the selling and buying of various types of illicit goods (stolen credentials, credit card information, corporate intellectual property, as well as drugs and weapons), involve how the buying and selling takes place.
Unlike when you go shopping on the surface web at an Amazon or a Costco, when you shop within dark web forums, you do so anonymously, and cryptocurrency is the primary form of payment. Having said that, the tools you use will be quite similar, with some notable differences.
You will browse with the Tor Browser, pay from your cryptocurrency wallet in Bitcoin or, increasingly, Monero, and communicate with the merchant (seller) using a PGP email encryption tool or a privacy-focused messaging application like Telegram. Many of these market sites also provide customer service and even escrow services. And given that buyers may not really trust a criminal seller, sellers maintain their reputations and build customer trust with reviews and relevant statistics (e.g., years in business, transaction volume).
Finding and learning about dark web bazaars
While search engines such as Google don’t index dark web sites, you can get listings of dark web marketplaces (also known as darknet markets or DNMs), as well as read news about them, on sites that Google does index, such as DarknetLive and DarknetOne. You’ll find exhaustive dark web market listings on these sites, along with the types of goods and services the markets provide, the currencies they accept, and the dark web URLs where they can be found (typically .onion links that can be accessed from the Tor Browser).
The articles and market listings are useful for denizens of the dark web because they highlight trends around marketplace popularity and the tools used to shop at them, discuss marketplaces that have been shut down, and often describe the criminal prosecutions that led to the shutdown. They also provide “how-to” guides for those who are new to these underground forums and marketplaces.
Current events in the DWM world
As mentioned, dark web marketplaces face investigations and prosecution from law enforcement agencies in countries that don’t condone or harbor dark web criminals. Investigations succeed where law enforcement can get cooperation from the countries where these cybercriminals reside and/or where the website is hosted.
In April of last year, the mother of all dark web marketplaces, Hydra, was taken down. German authorities seized its servers as well as approximately $25M USD in Bitcoin, and the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on both Hydra and Garantex, a Russian crypto exchange that OFAC believes had processed around $100M USD in illicit purchases.
But law enforcement actions and sanctions taken by western authorities seem to do little to disrupt the overall success of dark web markets. After law enforcement took Hydra down, there was some jockeying among other Russian DNMs that left four threat groups holding 80% of the market share by the end of 2022.
This diagram illustrates how buyers on DNMs migrate from one market to another upon closure of a preferred market. In December 2022, Russian DNMs had their biggest month ever, exceeding $130M USD in sales. And as for how U.S. sanctions have affected the Garantex crypto exchange, it had $18.3B USD in transaction volume for the year ending February 2023, more than double its previous annual volume.
Is your customer data for sale?
While darknet markets may be best known for trafficking in illegal drugs, selling stolen personal data about individuals and organizations is ubiquitous across these forums. Here the darknet has an entire ecosystem of players covering the full lifecycle: from the tools, purchased in darknet markets, used to carry out malicious attacks intended to breach an organization, through to the sale and subsequent purchase of the compromised personal data, which is then used to defraud targeted individuals and organizations.
A recent study of the market for stolen data on darknet marketplaces noted that over six months, ending April 2021, there were more than 2,000 vendors advertising almost 100K stolen personal datasets across 30 marketplaces, generating 600K+ transactions and resulting in more than $140M in total revenue.
They concluded that there exists “a thriving underground economy and illicit supply chain enabled by darknet markets. As long as data is routinely stolen, there are likely to be marketplaces for the stolen information.”
You should note, however, that this amount does not include the ultimate proceeds that the criminal at the end of this supply chain garners from perpetrating fraud on the individuals whose personal information was compromised. The U.S. Federal Trade Commission (FTC) estimates that U.S. consumers lost nearly $8.8 billion to scams in 2022, a significant portion of which can be attributed to this dark web underworld ecosystem of players.
When your organization experiences a data breach of personal data, you should be aware of how that data can flow through this ecosystem and ultimately result in financial harm to your customers.
How to protect your organization
Data breaches, combined with the transactional nature of the dark web market for stolen personal data, result in many dimensions of risk to your organization. While you clearly need to invest in protecting your customer data, you also must accept that despite your best efforts, an organizational data breach may still occur.
For this reason, you must be diligent in adopting cybersecurity technologies that promptly detect threats across your expanding external attack surface, and you must also be informed, based on monitoring of dark web criminal activity, as to the potential level of harm to the customers affected by a data breach.
To address end-to-end organizational risks in this environment, cybersecurity strategies must become more proactive, investing in cyber threat intelligence (CTI) to identify threats and reduce threat exposure. Relying on cyber event response is not enough. A recent VentureBeat article emphasizes this approach based on feedback from CISOs, and it notes Gartner’s view that “SecOps’ goal is to create a proactive risk understanding and enable threat exposure reduction as well as detection of, and response to, cyber events that negatively affect the organization.”
Most companies don’t have the resources or wherewithal to create a threat intelligence capability on their own. As a result, the most cost-effective and efficient path to enabling this type of proactive effort is engaging a threat intelligence and dark web monitoring partner. Reputable vendors will offer automated technologies for monitoring the dark web, combined with human intelligence and activity carried out by established dark web operatives, as part of a managed threat intelligence service. The dark web is complex and intentionally noisy, to shield its participants’ illicit operations from interruption. The right partner should have significant first-hand experience operating across these ecosystems to provide the context needed to take the right actions. Ensuring that the intelligence or dark web provider you select understands the environmental nuances can be the determining factor in an engagement’s success or failure.
You can learn more about ZeroFox’s dark ops approach here.